Server:
=====
[root@sfca-do-4 ~]# ipa --version
VERSION: 4.4.4, API_VERSION: 2.215
[root@sfca-do-4 ~]# cat /etc/fedora-release
Fedora release 25 (Twenty Five)
Client Node:
=====
root@sfca-do-1:~# ipa-client-install --version
4.3.1
root@sfca-do-1:~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
I should also mention that my Ubuntu 14.04 nodes cannot join either, and
they have different freeipa-client versions in their repos and are
throwing some different log data if that's of any possible help. The
only system that's been able to ipa-client-install join is the IPA
replication mate which is running the same rev of Fedora and
ipa-client/server.
Some more background, these servers for this client were recently built
and configured to use letsencrypt certificates so they can provide
public and ssl-accepted interfaces to users that this client services.
Not sure if certificates and CAs could perhaps be playing into a
client-join (since I see no complaint about them in the install logs on
this client), but wanted to mention it anyway just in case there's some
reason that letsencrypt issued certs are perhaps factoring in. Other
clients I service have successfully used similar setups to what I'm
trying to build currently, but were running on the 3.x services of IPA.
This is my first pass at standing up functioning 4.x IPA servers.
Other replies inline.
On 1/17/18 2:36 PM, Rob Crittenden via FreeIPA-users wrote:
> Chris Moody wrote:
>> Thanks for taking a look gents. Ask and ye shall receive. :)
>>
> What version of IPA is this and what platform?
>
> Before an install can you ensure that there is nothing in
> /etc/krb5.conf.d/ (except maybe crypto-policies)?

There is no /etc/krb5.conf.d/ dir on the client node. I have tried with
both the system defaults in the /etc/krb5.conf file as well as with the
contents generated/output by the ipa-client-install command as I
mentioned initially, if that's the component you're questioning.

> Same with /var/lib/sss/pubconf/krb5.include.d/

On client node:
root@sfca-do-1:~# ls -l /var/lib/sss/pubconf/krb5.include.d/
total 0

> Might also be interesting to try to force a specific master by adding
> --server <fqdn of master> to the install line, just to see.
>
> I'm guessing the client is old as it doesn't appear to support the
> newer-style ipa-getkeytab:

Hmm... This client is fully updated/upgraded for any packages installed
via the Ubuntu repos. Is the client version 4.3.1 not recent? I can
manually add a different repo or pull source if need be to get whichever
client version you think might help.

> 2018-01-17T02:11:50Z DEBUG args=/usr/sbin/ipa-join -s sfca-do-4.ipa.xyz.com
> -b dc=ipa,dc=xyz,dc=com -h sfca-do-1.xyz.com
> 2018-01-17T02:11:51Z DEBUG Process finished, return code=0
> 2018-01-17T02:11:51Z DEBUG stdout=
> 2018-01-17T02:11:51Z DEBUG stderr=Failed to parse result: Failed to decode
> GetKeytab Control.
> Retrying with pre-4.0 keytab retrieval method...
> Keytab successfully retrieved and stored in: /etc/krb5.keytab
> Certificate subject base is: O=IPA.xyz.COM
> 2018-01-17T02:11:51Z INFO Enrolled in IPA realm IPA.xyz.COM
>
> It does look like it enrolls ok and gets a keytab.
>
> Note too that just above this it is able to get a TGT for the admin user
> via kinit:
>
> 2018-01-17T02:11:50Z DEBUG args=/usr/bin/kinit admin@IPA.xyz.COM -c
> /tmp/krbccCNSUmS/ccache
>
> The only difference in Kerberos usage between the enrollment and
> the rest is that during enrollment a fixed KDC is defined in the
> temporary krb5.conf:
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
> [libdefaults]
>   default_realm = IPA.xyz.COM
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = true
>   udp_preference_limit = 0
>   default_ccache_name = KEYRING:persistent:%{uid}
> [realms]
>   IPA.xyz.COM = {
>     kdc = sfca-do-4.ipa.xyz.com:88
>     master_kdc = sfca-do-4.ipa.xyz.com:88
>     admin_server = sfca-do-4.ipa.xyz.com:749
>     default_domain = xyz.com
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
> [domain_realm]
>   .xyz.com = IPA.xyz.COM
>   xyz.com = IPA.xyz.COM
>
> It is failing trying to autodiscover things later:
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
> [libdefaults]
>   default_realm = IPA.xyz.COM
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = true
>   udp_preference_limit = 0
>   default_ccache_name = KEYRING:persistent:%{uid}
> [realms]
>   IPA.xyz.COM = {
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
> [domain_realm]
>   .xyz.com = IPA.xyz.COM
>   xyz.com = IPA.xyz.COM
>
> Discovery appears to be working as expected:
>
> 2018-01-17T02:11:41Z DEBUG Search DNS for TXT record of _kerberos.xyz.com
> 2018-01-17T02:11:41Z DEBUG DNS record found: "IPA.xyz.COM"
> 2018-01-17T02:11:41Z DEBUG Search DNS for SRV record of _kerberos._udp.xyz.com
> 2018-01-17T02:11:41Z DEBUG DNS record found: 10 100 88 sfca-do-4.ipa.xyz.com.
>
> So I'm not entirely sure what is happening.
>
> rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
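The two krb5.conf fragments Rob quotes differ only in whether the KDC is pinned (kdc entries plus dns_lookup_kdc = false) or left to DNS SRV discovery. The Python below is an added example, not code from the thread or from FreeIPA: it parses krb5.conf text (the two inputs are constructed copies of the quoted fragments, trimmed to the keys that matter) and reports which path libkrb5 will take for the default realm, a quick check when a client can kinit under the enrollment config but not under the installed one.

```python
import re

# Constructed copies of the two krb5.conf fragments quoted in the thread, trimmed to the keys that matter.
ENROLL_CONF = """
[libdefaults]
 default_realm = IPA.xyz.COM
 dns_lookup_kdc = false
[realms]
 IPA.xyz.COM = {
  kdc = sfca-do-4.ipa.xyz.com:88
 }
"""
RUNTIME_CONF = """
[libdefaults]
 default_realm = IPA.xyz.COM
 dns_lookup_kdc = true
[realms]
 IPA.xyz.COM = {
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser; values are lists because keys such as kdc may repeat."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("includedir"):
            continue  # includedir pulls in files we do not have offline
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
        elif line == "}":
            stack.pop()  # end of a nested block such as a realm
        else:
            key, _, val = (s.strip() for s in line.partition("="))
            if val == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(val)
    return conf

def kdc_resolution(conf):
    """('static', kdcs) if the default realm pins KDCs, else ('dns', []) or ('none', [])."""
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", [None])[0]
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    # MIT krb5 treats an unset dns_lookup_kdc as true, so SRV lookups are the default.
    dns = libdefaults.get("dns_lookup_kdc", ["true"])[0].lower() in ("true", "yes", "1")
    return ("static", kdcs) if kdcs else (("dns" if dns else "none"), [])

for name, text in (("enrollment", ENROLL_CONF), ("post-install", RUNTIME_CONF)):
    print(name, kdc_resolution(parse_krb5_conf(text)))
```

Pointing it at the real /etc/krb5.conf of a failing client shows immediately whether the KDC lookup that follows enrollment depends on the _kerberos._udp SRV records the install log reports.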